A control is a measure you put in place to reduce a risk. It's what turns a theoretical analysis into actual security. Without documented controls, your risk register is just a list of fears.
Each control plays a different role in the chain of defence. A solid security programme combines all four:

- Stops the risk from materialising; the first line of defence. Examples: MFA, disk encryption, network segmentation, code review, phishing awareness.
- Signals that a suspicious or abnormal event has occurred. Examples: EDR/AV, SIEM, uptime monitoring, log audits, email DLP.
- Repairs or restores normal operation after an incident. Examples: backups, incident response plan, business continuity plan, breach notification procedure.
- Limits financial or reputational impact when prevention isn't possible. Examples: cyber insurance, 24/7 support contracts, outsourced crisis comms.
A control is scored on two distinct axes. This is a critical nuance auditors always check.

- Design effectiveness: is the control well designed on paper? Does it actually cover the risk? A 4-character password policy has bad design, regardless of whether it's enforced.
- Operating effectiveness: does the control actually run day-to-day? Is it applied, monitored, kept current? MFA configured but disabled on half the accounts has low operating effectiveness, even if its design is perfect.
- Link every control to the risks it covers — one control can serve several risks.
- Document the controls you ALREADY have before imagining new ones.
- For ISO 27001, schedule annual re-assessment of each control's effectiveness ("Next assessment" field).
- Link each control to the compliance requirements (NIS2 article X.Y, ISO clause 8.3...) it satisfies.
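The two-axis scoring and the linking rules above are easier to see on a small register. The following is an added example (not code from the original page): a minimal control register in Python that stores design and operating effectiveness separately, links controls to risks and to compliance requirements many-to-many, and derives three things an auditor would ask for: risks with no control at all, controls overdue for their annual re-assessment, and controls whose effective rating is dragged down by one weak axis. The 0-3 rating scale, the risks, the controls and the requirement identifiers are all constructed sample data; check any clause mapping against the actual standard text before reusing it.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed rating scale for this example: 0 = none, 1 = weak, 2 = adequate, 3 = strong.


@dataclass
class Control:
    id: str
    name: str
    kind: str                 # preventive / detective / corrective / impact-limiting
    design: int               # design effectiveness: right on paper, covers the risk?
    operating: int            # operating effectiveness: actually running day-to-day?
    risks: set                # ids of the risks this control covers (many-to-many)
    requirements: set         # compliance clauses it satisfies (sample identifiers)
    last_assessed: date
    review_interval_days: int = 365   # annual re-assessment, as for ISO 27001

    @property
    def effective_rating(self) -> int:
        # A control is only as good as its weaker axis: perfect design that is
        # half-deployed still scores low.
        return min(self.design, self.operating)

    @property
    def next_assessment(self) -> date:
        return self.last_assessed + timedelta(days=self.review_interval_days)


def uncovered_risks(risk_ids, controls):
    """Risks in the register that no documented control claims to cover."""
    covered = set()
    for c in controls:
        covered |= c.risks
    return sorted(set(risk_ids) - covered)


def overdue_assessments(controls, today):
    """Controls whose 'next assessment' date has already passed."""
    return sorted(c.id for c in controls if c.next_assessment < today)


def weak_controls(controls, threshold=2):
    """Controls below threshold, with the axis responsible for the low score."""
    out = []
    for c in controls:
        if c.effective_rating < threshold:
            axis = "design" if c.design <= c.operating else "operating"
            out.append((c.id, axis))
    return out


def best_rating_per_risk(risk_ids, controls):
    """Strongest effective rating protecting each risk (0 if nothing covers it)."""
    best = {r: 0 for r in risk_ids}
    for c in controls:
        for r in c.risks:
            best[r] = max(best[r], c.effective_rating)
    return best


def requirement_coverage(controls):
    """Map each compliance requirement to the controls that satisfy it."""
    cov = {}
    for c in controls:
        for req in c.requirements:
            cov.setdefault(req, set()).add(c.id)
    return cov


# Constructed sample register. TODAY is fixed so the output is reproducible.
TODAY = date(2025, 6, 1)
RISKS = {
    "R1": "Credential theft via phishing",
    "R2": "Data loss from ransomware",
    "R3": "Undetected intrusion on endpoints",
    "R4": "Prolonged outage of the customer portal",
}
CONTROLS = [
    Control("C1", "MFA on all user accounts", "preventive", 3, 1, {"R1"},
            {"ISO27001-A.5.17", "NIS2-21(2)(j)"}, date(2024, 3, 10)),
    Control("C2", "Password policy (4 characters minimum)", "preventive", 1, 3, {"R1"},
            {"ISO27001-A.5.17"}, date(2025, 1, 15)),
    Control("C3", "Nightly offline backups, restore tested quarterly", "corrective", 3, 3,
            {"R2"}, {"ISO27001-A.8.13", "NIS2-21(2)(c)"}, date(2025, 5, 2)),
    Control("C4", "EDR on all endpoints", "detective", 3, 2, {"R3"},
            {"ISO27001-A.8.16"}, date(2024, 4, 20)),
]

if __name__ == "__main__":
    print("Uncovered risks:", uncovered_risks(RISKS, CONTROLS))
    print("Overdue assessments:", overdue_assessments(CONTROLS, TODAY))
    print("Weak controls (id, weak axis):", weak_controls(CONTROLS))
    print("Best rating per risk:", best_rating_per_risk(RISKS, CONTROLS))
    for req, ids in sorted(requirement_coverage(CONTROLS).items()):
        print(f"  {req}: {sorted(ids)}")
```

Two points the output makes that the prose only states: the MFA control (C1) and the 4-character password policy (C2) both end up with an effective rating of 1, for opposite reasons (one fails on operating effectiveness, the other on design), and stacking two weak controls on risk R1 still leaves it rated 1, because the register takes the best single control rather than summing them. R4 shows up as uncovered, which is the gap you want the register to expose before an auditor does.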